
Network Connection with Suspicious Folder

Anvilogic Forge

Summary
This detection rule identifies outbound network connections initiated by processes whose image path lies in a directory that threat actors commonly use for staging payloads and stolen data: 'Temp', 'AppData' and 'Downloads'. It is built on Sysmon Event ID 3 (network connection), which records the initiating process's image path alongside the destination address and port, and applies a regular expression to that path to flag executables running from these folders. Threat actor groups tracked with this behaviour include Alloy Taurus, Lazarus and others who drop a downloaded tool into a user-writable folder and execute it from there, so the rule is mapped to T1105 (Ingress Tool Transfer); the same folders are also used to stage data ahead of exfiltration. The rule is implemented as a Splunk search over Sysmon event logs, which allows it to run on a schedule against newly indexed events.

Two practical caveats apply. Sysmon only emits Event ID 3 when network connection logging is enabled (the `-n` switch or a `NetworkConnect` rule in the Sysmon configuration), so a default Sysmon install produces no data for this rule. Second, legitimate software routinely runs from `AppData\Local` (per-user installs and self-updaters), so the rule needs an environment-specific allowlist, and the folder match should be anchored on path separators so that a file named `tempfile.exe` in another directory does not trigger it.
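The rule's own Splunk search is not reproduced on this page. The following Python is an added example, not Anvilogic's code, that runs the same logic over a handful of constructed Sysmon Event ID 3 records: it keeps only network-connection events, matches the initiating process's image path against the three folder names with separator anchoring, and applies a hypothetical allowlist for a legitimate AppData-resident application. Field names follow the Sysmon event schema; every path, user and destination below is made up for the example.

```python
import re
from typing import Dict, List, Optional, Pattern

# Constructed sample events modelled on Sysmon's schema. EventCode 3 is a
# network connection; EventCode 1 is process creation and must be ignored.
SAMPLE_EVENTS: List[Dict] = [
    {"EventCode": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "User": r"CORP\alice", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventCode": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "User": r"CORP\alice", "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    {"EventCode": 3, "Image": r"C:\Users\bob\Downloads\invoice.pdf.exe",
     "User": r"CORP\bob", "DestinationIp": "203.0.113.22", "DestinationPort": 8080},
    # Process creation from Downloads: relevant to other rules, not to this one.
    {"EventCode": 1, "Image": r"C:\Users\bob\Downloads\setup.exe",
     "User": r"CORP\bob"},
    # Legitimate per-user application living under AppData\Local.
    {"EventCode": 3, "Image": r"C:\Users\carol\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "User": r"CORP\carol", "DestinationIp": "198.51.100.40", "DestinationPort": 443},
    {"EventCode": 3, "Image": r"C:\Windows\Temp\svc.exe",
     "User": r"NT AUTHORITY\SYSTEM", "DestinationIp": "203.0.113.99", "DestinationPort": 4444},
    # "temp" appears in the file name, not as a directory: must not match.
    {"EventCode": 3, "Image": r"C:\Users\dave\Documents\tempfile.exe",
     "User": r"CORP\dave", "DestinationIp": "198.51.100.9", "DestinationPort": 443},
]

# Folder names anchored on backslashes so only a directory component matches.
SUSPICIOUS_FOLDER: Pattern = re.compile(r"\\(temp|appdata|downloads)\\", re.IGNORECASE)

# Hypothetical allowlist for this example; a real deployment tunes this per environment.
DEFAULT_ALLOWLIST: List[Pattern] = [
    re.compile(r"\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive\.exe$", re.IGNORECASE),
]


def matched_folder(image: str) -> Optional[str]:
    """Return the first suspicious folder name found in the image path, or None."""
    m = SUSPICIOUS_FOLDER.search(image)
    return m.group(1).lower() if m else None


def is_allowlisted(image: str, allowlist: List[Pattern]) -> bool:
    return any(p.search(image) for p in allowlist)


def detect(events: List[Dict], allowlist: Optional[List[Pattern]] = None) -> List[Dict]:
    """Return Event ID 3 records whose initiating process runs from a suspicious folder."""
    if allowlist is None:
        allowlist = DEFAULT_ALLOWLIST
    hits = []
    for ev in events:
        if ev.get("EventCode") != 3:
            continue
        image = ev.get("Image", "")
        folder = matched_folder(image)
        if folder is None or is_allowlisted(image, allowlist):
            continue
        hits.append({**ev, "SuspiciousFolder": folder})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['SuspiciousFolder']:9} {hit['User']:22} {hit['Image']} -> "
              f"{hit['DestinationIp']}:{hit['DestinationPort']}")
```

Running the block prints three hits (the Temp-resident updater, the double-extension file in Downloads, and the SYSTEM-owned binary in `C:\Windows\Temp`), while Firefox, the process-creation event, the allowlisted OneDrive client and `tempfile.exe` are skipped. Dropping the allowlist reintroduces the OneDrive connection, which is the noise a Splunk version of the rule would have to suppress with a lookup or an exclusion clause.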
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Network Traffic
  • Windows Registry
ATT&CK Techniques
  • T1105
Created: 2024-02-09